[Snort-sigs] new db entry
bianco at ...536...
Fri Apr 19 18:05:17 EDT 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC r00t attempt";flags: A+; content:"r00t"; classtype:attempted-admin; sid:211; rev:1;)
Possible root kit installed on destination machine.
An intruder could have total superuser acccess to the compromised machine
This rule works on the assumption that if anyone telnets into a machine
on your network and the string "r00t" appears, then it must be an attempt
to install a rootkit. "r00t" is 3l33t h4x0r speak for "root", the Unix
superuser. This string may be common to any number of rootkits or even
This may not be an attack itself. Rather, uploading a rootkit is what
usually happens *after* a successful compromise.
Ease of Attack:
Moderate. A legitimate user could type "r00t" into his favorite text editor
or email program while logged into your machine via telnet and trigger this
Not applicable, since this isn't a specific attack. Any rootkit that
doesn't use the term "r00t" would fail to trigger. Don't rely on this as
your only mechanism.
Get a copy of chkrootkit from www.chkrootkit.org and run it on the host
which you suspect to be compromised. Chkrootkit will search for many
known rootkits and tell you if it finds any.
David J. Bianco <djbianco at ...144...>
More information about the Snort-sigs